Product Section Direction - Security

1. You are here:
2. GitLab Direction
3. Product Section Direction - Security

On this page

• Section Overview
  • GitLab and the DevSecOps Lifecycle
  • Lowering the Cost of Remediation
  • Closing the Loop
  • Groups
  • Teams and Investments
    • Team members
    • Investments
  • Accomplishments, News, and Updates
    • Section & team member updates
    • Important PI milestones
    • Recent accomplishments
    • What’s ahead
• 3 Year Section Themes
  • Security Is A Team Effort
  • Shift Left. No, More Left Than That.
  • Shift Right. Yes, Right. Right Into Operations.
  • Provide Active Intelligence to Enable Data-Driven Decisions
  • BYOT - Bring Your Own (Security) Tools
  • Cloud native first
  • Improve OSS security standards
  • Emphasize usability and convention over configuration
  • Coordinate security across GitLab
• 1 Year Plan
  • What We Recently Completed
  • What We Are Currently Working On
  • What's Next For Us
  • What We're Not Doing
• Target audience
  • Today
  • Medium Term (1-2 years)
• Stages and Categories
  • Secure
    • Categories
      • SAST
      • Secret Detection
      • Code Quality
      • DAST
      • IAST
      • API Security
      • Fuzz Testing
      • Dependency Scanning
      • License Compliance
      • Vulnerability Database
      • Security Benchmarking
      • Attack Emulation
      • Vulnerability Management
    • Pricing
      • Core/Free
      • Premium/Silver
      • Ultimate/Gold
  • Protect
    • Categories
      • Container Scanning
      • Security Orchestration
    • Pricing
      • Free
      • Premium
      • Ultimate
• Upcoming Releases
  • 15.0 (2022-05-22)
    • Secure
    • Protect
  • 15.1 (2022-06-22)
    • Secure
    • Protect
  • ClickHouse Acceleration
    • Secure
    • Protect
  • 15.2 (2022-07-22)
    • Secure
    • Protect
  • 15.3 (2022-08-22)
    • Secure
    • Protect
  • 15.5 (2022-10-22)
    • Secure
    • Protect

Security visibility from development to operations to minimize risk

GitLab provides the single application organizations need to find, triage, and fix vulnerabilities as well as protect applications, services, and cloud-native environments. This enables organizations to proactively manage their overall security risk.

This empowers organizations as they can apply repeatable, defensible processes that automate security and compliance policies from development to production.

Section Overview

The Sec Section focuses on providing security visibility across the entire software development lifecycle and is comprised of the Secure and Protect stages of the DevOps lifecycle. This is accomplished by shifting security testing left with the Secure stage enabling developers to begin security scanning with their first written line of code. As applications and application updates are moved into production, the Protect stage provides SecOps and Ops teams the ability to mitigate attacks targeting the applications in cloud-native environments. The combination of both stages provides organizations with visibility into their security risk from the first line of code written to applications deployed within production.

GitLab and the DevSecOps Lifecycle

GitLab is uniquely positioned to fully support DevSecOps by providing a single application for the entire software development lifecycle. This includes both shifting application security testing (AST) left as well as protection capabilities for applications running within production.

GitLab’s single application completely maps directly to the DevSecOps lifecycle. The Secure Stage provides the Develop, Analyze, and Mitigate portions of the DevSecOps lifecycle, while GitLab's Protect stage provides the Protect portion. Together, GitLab supports all teams involved in delivering secure applications:

• Develop: Developers create new source code, including new features and bug fixes, and commit this code to a branch within the project. This step is supported by the Create stage of the DevOps lifecycle providing developers with source code management, code editors, and code review workflows.
• Analyze: Upon code commit, Secure scanners are automatically started and identify any new security findings with the delta code change. This enables developers to stay within context enabling them to understand the cause and effect of their code change. Secure scanners leverage the Verify stage of the DevOps lifecycle to provide scanning within the CI pipeline.
• Mitigate: Developers are provided with the details needed to understand how to remediate the newly introduced security findings. Developers are also offered automatic remediation where applicable.
• Protect: Security and operations teams can protect applications once they are deployed into cloud-native environments by scanning container images for vulnerabilities.

Lowering the Cost of Remediation

The earlier a security vulnerability can be remediated has both risk reduction and cost reduction benefits.

When security vulnerabilities are identified at the time of code commit, developers can understand how their newly introduced code has led to this new issue. This gives the developer a cause-and-effect enabling quicker resolution while not having the time hit of context switching. This is not true as security scanning is performed later in the software development lifecycle. New vulnerabilities may not be identified until weeks or months after they were added to the application while under development.

Time is not the only savings when shifting security left.

In “The Economic Impacts of Inadequate Infrastructure for Software Testing”, NIST estimated the cost of remediating software bugs at $59.5 billion/year. This is compounded when taking in the average time to remediate software bugs. In “Software Development Price Guide & Hourly Rate Comparison”, FullStack Labs estimates the average cost of a software developer at $300/hour. The following table outlines the cost to remediate software bugs at different stages of the software development lifecycle:

These costs are just the start of the financial impact when the software bug is also a software vulnerability. IBM, in partnership with the Ponemon Institute, put the average cost to remediate a data breach in 2020 at $3.86 million (USD). This does not take into consideration the reputation impact to the organization.

Closing the Loop

Having visibility into security risk in just development only provides you with half of the picture. Development and SecOps teams need to have a closed feedback loop enabling both teams to be successful. Development teams can gain insight into attacks targeting the applications they develop. This allows them to prioritize vulnerabilities correctly, enabling proactive resolutions to reduce risk. Likewise, SecOps teams can gain insight from their development counterparts, providing them with visibility into how the application works. This allows them to best apply proactive measures to mitigate attacks targeting the application until development can fix the vulnerability.

Closing the loop requires close collaboration, transparency, and efficiencies that only a single platform for the entire DevOps lifecycle can provide. Shifting security left while also providing protection for applications in production within a single application empowers teams to work closer together. Security is a team sport and teams working together can best reduce their organization’s overall security risk.

Groups

The Security Section is made up of two DevOps stages, Secure and Protect, and six groups supporting the major categories of DevSecOps including:

• Static Analysis - Assess your applications and services by scanning your source code for vulnerabilities and weaknesses.
• Dynamic Analysis - Assess your applications and services while they are running by leveraging the Review App available as part of GitLab’s CI/CD functionality.
• Composition Analysis - Assess your applications and services by analyzing dependencies for vulnerabilities and weaknesses, confirming only approved licenses are in use, and scanning your containers for vulnerabilities and weaknesses.
• Threat Insights - Holistically view, manage, and reduce potential risks across the entire DevSecOps lifecycle including Security Merge Request Views, Pipeline Security Reports, and Security Dashboards at the Project, Group, and Instance level.
• Container Security - Monitor and protect your cloud-native applications and services by leveraging context-aware knowledge to improve your overall security posture.
• Vulnerability Research - Leverage GitLab research to empower your Secure results by connecting security findings to industry references like CVE IDs.

Teams and Investments

Team members

The existing team members for the Sec Section can be found in the links below:

• Development
• User Experience
• Product Management
• Quality Engineering

Investments

Learn more about GitLab's investment into the Sec section by visiting our Product Investment page within the Product Handbook.

Accomplishments, News, and Updates

The following are the updates from the Sec Section for January 2022 (as presented in the monthly Product Key Review). A complete list of released features can be found on the Release Feature Overview page and a complete list of upcoming features can be found on the Upcoming Releases page.

Section & team member updates

• No new updates at this time

Important PI milestones

• Secure:Static Analysis, Secure:Dynamic Analysis, and Secure:Composition Analysis have met availability targets and stayed below Error Budget goals for five months running!

Recent accomplishments

• Static Analysis analyzer updates
• Gitleaks performance improvements
• Add Support for SAST to Security Orchestration Policies

What’s ahead

• Security Approval policies
• Inline Security training
• Show paths to dependencies MVC
• GA Container Scanning category support for scans against running containers
• Improve tracking accuracy of SAST, Secret Detection findings
• Browser-based DAST passive attack parity
• Fuzz Testing corpus management interface
• DAST Configuration UI Implementation
• Schedule DAST scans on demand
• Vulnerability Dismissal Types / Reasons

3 Year Section Themes

Security Is A Team Effort

Everyone benefits when security is a team effort as testing happens regularly, issues are found earlier, and code shipped is more secure. To make this possible, security must be approachable, not overburden teams, and results must be easy to interpret. Security testing tools and processes must be adapted to your developers (and not the other way around). This means bringing security into the workflow of your developers such that they can stay within their context without having unnecessary steps added to their daily work. Furthermore, results provided as security findings must be presented in a way that they can be interpreted without needing a PhD in cybersecurity. This includes providing enough detail to begin identifying the root cause (including identifying the section of code causing the security finding) and suggesting remediation steps (including automatic remediation) as well as pointing to industry standards related to the security finding. By implementing an integrated DevSecOps lifecycle with actionable results, security becomes everyone’s responsibility.

As examples, GitLab will provide:

• Security findings within the merge request view allowing developers to stay within their context.
• Security gates enabling the ability to require approval to merge when security findings are above a pre-set severity.
• Industry references with security findings to aid in root cause analysis and remediation.
• Automatic remediation, where applicable, enabling faster resolution of security findings.
• Summary views, or dashboards, showing the overall health of the project, group, and instance enabling security teams to contribute and interact with development teams.
• Historical reporting for security findings such that root cause can be identified and addressed, preventing recurring issues.

Shift Left. No, More Left Than That.

The “shift left” approach is not a new concept within software testing and DevOps best practices. It is commonly thought of when discussing the DevSecOps lifecycle. This usually includes security testing earlier in the software development lifecycle with the goal of identifying security vulnerabilities and weaknesses prior to shipping code to operations. Today’s techniques include static application security testing (SAST), dynamic application security testing (DAST), interactive application security testing (IAST), dependency scanning, and license compliance. The continuation of the “shift left” approach requires a harder shift left, bringing security testing as close as possible to the developer. This enables earlier detection of security vulnerabilities and weaknesses, thus lowering the cost of remediation (as well as reducing work for the entire team as security findings are addressed prior to reaching the QA and security teams).

As examples, GitLab will provide:

• Static analysis beyond traditional SAST functionality, enabling more ways to white-box test source code.
• Expanded identification functionality, enabling secret detection beyond API tokens, passwords, and cryptographic keys with improved secrets management leveraging cloud-native technologies.
• Real-time feedback to developers via integrated development environments (IDEs), enabling developers to write secure code prior to code commit.

Shift Right. Yes, Right. Right Into Operations.

Security testing doesn’t stop once code is shipped. New vulnerabilities, security weaknesses and, attacker techniques are constantly discovered, leaving operations and their associated applications and services open to being compromised. Also, as organizations continue to shift to the cloud and employ cloud-native strategies, new attack surfaces are exposed that did not exist within the traditional data center. These include items like cloud storage permissions and unwanted network services. Applications, services, and their associated cloud-native infrastructure need to be assessed just as a user (or an attacker) would interact with them. This means performing the same tasks that an attacker would perform including reconnaissance, vulnerability assessment, and penetration testing. Implementing a continuous assessment strategy of operations is needed to provide full visibility into all potential risk.

As examples, GitLab will provide:

• Dynamic analysis categories, including DAST and DAST API, providing the ability to assess the operations side of the DevOps lifecycle.
• New categories purposefully designed to assess the operations network including automatic penetration testing and vulnerability assessment functionality.
• Cloud-native assessment capabilities allowing users to truly understand their attack surface.
• Active monitoring of public key infrastructure (PKI), providing full visibility into the cryptographic health of your cloud-native environment (and associated containers).

Provide Active Intelligence to Enable Data-Driven Decisions

Security findings, without context, can lead to making incorrect decisions on remediation, leaving applications and services vulnerable. With more data made available, better decisions can be made while prioritizing security findings, enabling users to best manage their security risk. Furthermore, this enables developers to write secure code, build operations to package dependencies free of vulnerabilities, and security team members to test deeper than previously achievable. Leveraging machine learning provides active intelligence, enabling users to make smart, data-driven decisions at the right time, lowering overall security risk. Machine learning, to be successful, relies on big data to build accurate models. The GitLab community includes developers, build operators, and security teams all working together within their organizations to code, build, deliver and secure application and services going into operations. As a global community, developers can learn from each other to identify and better secure code. Dependency vulnerabilities and weaknesses can be avoided, and security teams can test smarter, faster, and deeper. Machine learning, powered by anonymized data, provides active intelligence enabling data-driven decisions.

As examples, GitLab will provide:

• Machine learning that will be opt-in when it relates to using anonymized user data from the GitLab community.
• Actionable intelligence to identify insecure coding practices to help developers write more secure code in real-time.
• Dynamic application security testing (DAST) tailored to the application or service being tested, identifying security findings which may have been missed with traditional testing techniques.
• Real-time data about software vulnerabilities and weaknesses related to technologies used within users’ projects, groups, and instances.
• Automatic remediation of discovered software vulnerabilities and weaknesses within project source code, dependencies (e.g., libraries and packages), and containers.
• Autogeneration of signatures and policies to address security findings within Secure Stage categories that can be automatically applied to Protect Stage categories.

BYOT - Bring Your Own (Security) Tools

At GitLab, we believe everyone can contribute and security is everyone’s responsibility. We empower GitLab users by providing security tools which include Static Analysis, Dynamic Analysis, Container Scanning, Dependency Scanning, and License Scanning. However, we recognize our users may have existing security tools and may want to continue to use them. As such, we strive to play well with others. Security tool vendors will be provided standardized components (e.g., APIs) within the GitLab complete DevOps platform enabling easy integration into our Security Dashboard and Merge Request controls including security approvals. This allows our users to have alternate security tools that either replace, or augment, our Secure tools.

As examples, GitLab will provide:

• A walkthrough (e.g., wizard) enabling users the ability to configure and enable integrations they wish to use as part of their DevSecOps processes.
• Standardize REST APIs, following CRUD principles, for integrating third-party security scanners the ability to start scanning via GitLab CI/CD as well as submit their security findings into the GitLab complete DevOps platform.
• Security vulnerability reporting framework, following JSON notation, allowing third-party security scanners to submit their security findings in such a way that their results can be integrated into Secure’s Security Dashboard and Merge Request controls including security approvals.

If you are interested in contributing such an integration, please create an issue so we can collaborate on questions and adding any enabling functionality.

Cloud native first

Protect will focus first on providing reactive security solutions that are cloud native. Whenever possible, Protect capabilities will be cloud platform agnostic, including support for self-managed cloud native environments.

For example, GitLab's current Protect capabilities leverage numerous open source cloud-native projects that integrate cleanly with Kubernetes to provide additional security in containerized environments. Any future expansion of security capabilities will come after the cloud native capabilities are mature.

Improve OSS security standards

Protect will contribute upstream improvements to the OSS projects whenever possible and practical to help everyone be more secure.

Emphasize usability and convention over configuration

Protect capabilities will be pre-configured with reasonable defaults out-of-the-box whenever possible. When not possible, they will be easy to configure either through code or through a guided UI workflow that is friendly to users without coding knowledge. Regardless of how the capabilities are configured, they will be stored as code for ease of management.

For example, GitLab's security policy editor supports editing policies in both a rule mode and in yaml mode

Coordinate security across GitLab

Protect capabilities will serve as a connection point for a seamless workflow spanning across different types of scanners and also across different features in GitLab. By facilitating data sharing and interoperability across GitLab's features, Protect can help solidify the advantages GitLab has to offer as a single application. For example, these areas might include the following:

• Facilitating a continuous experience for scanning across repositories, registries, and production environments.
• Centralizing security and compliance controls across GitLab, including merge request approvals, anomalous user activity, and anomalous pipeline/job activity.
• Leveraging data about production environment configuration to reduce false positives in scanners.
• Leveraging data about vulnerabilities in development to inform and drive threat mitigation in production.

1 Year Plan

What We Recently Completed

The Sec team has been actively delivering updates to help you reduce risk. The following are some highlights from recent GitLab releases:

• Next Generation SAST. We released a proprietary static application security testing engine, initially focused on reducing false positives in Ruby and Rails, that builds upon years of experience leveraging open source analyzers. This engine leverages program analysis techniques, including data and control flow analysis and a novel pattern extraction language, to eliminate vulnerabilities that may have been falsely reported by other integrated security tools. It also lays the groundwork for future integration of across scanning disciplines offered within GitLab for smarter, more actionable results.
• DAST API Beta. We beta-released API scanning capabilities based on technology gains from our acquisition of Peach Tech. This scanner will eventually fully replace OWASP ZAP as our API scanner, but in the immediate term gave users the benefit of enabling more API specification methods, more API language support, and additional authentication methods, as well as the ability to use Postman collections and HAR files to provide multiple options for defining what can be tested in the API.
• Infrastructure as Code (IaC) Scanning. We released an IaC scanner to address common misconfiguration issues in IaC templates. Initially, our scanner supports Terraform, Ansible, AWS CloudFormation, and Kubernetes and is based on the open-source Keeping Infrastructure as Code Secure (KICS) project.
• Policy Engine. We released project-level DAST and secret detection scan execution policies as a first iteration toward our long-term vision to provide a consistent security policy framework across all of GitLab.
• Vulnerability Management Usability. We've made multiple usability improvements to our vulnerability management workflows, including a change to the structure of our reporting format so that, regardless of scanner provenance, results are handled and displayed uniformly for the user in the UI.

What We Are Currently Working On

The Sec team is actively working to bring world class security to DevSecOps and the following outlines where we are currently investing our efforts:

• Application Security Testing (AST) Leadership - We will take a leadership position within the Application Security Testing (AST) market. This will be accomplished by focusing on moving Dynamic Analysis (DAST), API Security, Dependency Scanning, and Vulnerability Management categories to Complete maturity, as well as returning License Compliance to Viable maturity.
• Dogfooding - We will “practice what we preach”, including leveraging Secure Categories in all things GitLab does. This tight circle will provide immediate feedback and increase our rate of learning.
• Security for everyone - In order to make security accessible to everyone across the DevOps lifecycle, we will bring all Secure OSS scanners to Core (self-managed) / Free (GitLab.com).
• Security Orchestration - Provide a unified user experience for viewing, triaging, and resolving alerts from cloud-native environments while also enabling security policy management across development, staging, and production.

What's Next For Us

To meet our audacious goals, the Sec Section will focus on the following over the next 12 months:

• Differentiate on value - Running a security test is just the beginning. GitLab's unique visibility into the full picture of application code, configuration, and behavior puts us in a unique position to do many things: connect findings across scanning disciplines for higher-fidelity results, better evaluate the true risk of a finding, tie findings and behaviors back to the original code and code owners, and so on. We will start to leverage this advantaged position to develop value-add capabilities that only a platform like GitLab can offer.
• Holistic developer-first experience - We will capitalize on a unique opportunity to present results and activate workflows for developers and security professionals that standalone security products cannot replicate. We want to provide a first-class experience and enable users to make data-driven decisions to secure their applications and services as well as their enterprise. Our Security Dashboards and Merge Request Approvals is just the beginning.
• Cross-stage Security Policy Management - Allowing users to configure and manage security policies in a unified manner across their GitLab Workspace. This includes managing policies for applications running in production (such as managing network policies) as well as managing policies that specify when scans should be required to run.
• Cross-stage Security Alert Management - Allowing users to interact with a single dashboard to review and manage their Security Alerts across all of GitLab. This includes Alerts generated from production environments, Alerts generated from the results of scans, and other GitLab security-related Alerts.
• First-class Container Security - We will continue to build out our container scanning capabilities to provide GA support for production container scanning and reduce noise overall.

What We're Not Doing

The following will NOT be a focus over the next 12 months:

• Machine learning - Machine learning (ML) will be leveraged, as part of static analysis, to identify insecure coding practices and help developers write more secure code. This will be opt-in and will enable the power of the GitLab global community.
• Security services - The cybersecurity staffing shortage continues to grow with no solvable solution yet defined. To solve this issue, organizations have been relying on security services to fill this gap in their security processes. As part of Secure’s 3 Year Strategy, we want to address this for the GitLab community by offering cybersecurity augmentation powered by GitLab Secure categories.
• SIEM functionality - Security Information and Event Management (SIEM) solutions are a common tool leveraged by IT Ops and SecOps organizations to monitor for events within their production environments. The Protect stage will support exporting security events to external SIEM solutions, including the Monitor stage, as well as Monitor on-call functionality.
• Non-cloud native environments - Enterprises are undergoing cloud-native transformations shifting from traditional data centers to public cloud environments leveraging technologies like Kubernetes. Protect will focus on meeting enterprises where they are going and not focus on where they are coming from.

Target audience

GitLab identifies who our DevSecOps application is built for utilizing the following categorization. We list our view of who we will support when in priority order.

• 🟩- Targeted with strong support
• 🟨- Targeted but incomplete support
• ⬜️- Not targeted but might find value

Today

To capitalize on the opportunities listed above, the Sec Section has features that make it useful to the following personas today.

1. 🟩 Developers / Development Teams
2. 🟩 Security Teams
3. 🟨 SecOps Teams
4. 🟨 QA engineers / QA Teams
5. ⬜️ Security Consultants

Medium Term (1-2 years)

As we execute our 3 year strategy, our medium term (1-2 year) goal is to provide a single DevSecOps application that enables collaboration between developers, security teams, SecOps teams, and QA Teams.

1. 🟩 Developers / Development Teams
2. 🟩 Security Teams
3. 🟩 SecOps Teams
4. 🟩 QA engineers / QA Teams
5. 🟨️ Security Consultants

Stages and Categories

The Sec section is composed of two stages, Secure and Protect, each of which contains several categories. Each stage has an overall strategy statement below, aligned to the themes for Sec. Each category within each stage has a dedicated direction page plus optional documentation, marketing pages, and other materials linked below.

Secure

The Secure stage enables accurate, automated, and continuous assessment of your applications and services enabling you to proactively identify vulnerabilities and weaknesses to minimize your security risk. Secure is not an additional step in your process nor an additional tool to introduce to your process. it is woven into your DevOps cycle thus allowing you to adapt your security testing and processes to your developers (and not the other way around).

Categories

SAST

Static Application Security Testing scans the application source code and binaries to spot potential vulnerabilities before deployment using open source tools that are installed as part of GitLab. Vulnerabilities are shown in-line with every merge request and results are collected and presented as a single report. This category is at the "complete" level of maturity.

Priority: high • Documentation • Direction

Secret Detection

Check for credentials and secrets in commits. This category is at the "viable" level of maturity.

Priority: medium • Documentation • Direction

Code Quality

Automatically analyze your source code to surface issues and see if quality is improving or getting worse with the latest commit. This category is at the "minimal" level of maturity.

Documentation • Direction

DAST

Dynamic Application Security Testing analyzes your running web application for known runtime vulnerabilities. It runs live attacks against a Review App, an externally deployed application, or an active API, created for every merge request as part of the GitLab's CI/CD capabilities. Users can provide HTTP credentials to test private areas. Vulnerabilities are shown in-line with every merge request. Tests can also be run outside of CI/CD pipelines by utilizing on-demand DAST scans This category is at the "complete" level of maturity.

Priority: high • Documentation • Direction

IAST

Interactive Application Security Testing checks runtime behavior of applications by instrumenting the code and checking for error conditions. It is composed by an agent that lives inside the application environment, and an external component, like DAST, that can interact and trigger unintended results.

Priority: low • Direction

API Security

API Security focuses on testing and protecting APIs. Testing for known vulnerabilities with DAST API and unknown vulnerabilities with API Fuzzing, API Security runs against a live API or a Review App to discover vulnerabilities that can only be uncovered after the API has been deployed. Users can provide credentials to test authenticated APIs. Vulnerabilities are shown in-line with every merge request. This category is at the "viable" level of maturity.

Priority: high • Documentation • Direction

Fuzz Testing

Fuzz testing increase chances to get results by using arbitrary payloads instead of well-known ones. This category is at the "viable" level of maturity.

Priority: high • Documentation • Direction

Dependency Scanning

Analyze external dependencies (e.g. libraries like Ruby gems) for known vulnerabilities on each code commit with GitLab CI/CD. This scan relies on open source tools and on the integration with Gemnasium technology (now part of GitLab) to show, in-line with every merge request, vulnerable dependencies needing updating. Results are collected and available as a single report. This category is at the "viable" level of maturity.

Priority: high • Documentation • Direction

License Compliance

Upon code commit, project dependencies are searched for approved and blacklisted licenses defined by custom policies per project. Software licenses being used are identified if they are not within policy. This scan relies on an open source tool, LicenseFinder and license analysis results are shown in-line for every merge request for immediate resolution. This category is at the "minimal" level of maturity.

Priority: medium • Documentation • Direction

Vulnerability Database

GitLab integrates access to proprietary and open-source application security scanning tools. In order to maintain the efficacy of those scans, we strive to keep their underlying vulnerability databases up-to-date.

Priority: high • Direction

Security Benchmarking

GitLab Secure stage benchmarking for measuring security effectiveness in detecting security findings.

Direction

Attack Emulation

Continuously assess your applications and services are not vulnerable to security threats through automated, real-world emulated scenarios to identify weaknesses in your attack surface

Priority: low

Vulnerability Management

View, triage, trend, track, and resolve vulnerabilities detected in your applications. This category is at the "viable" level of maturity.

Priority: high • Documentation • Direction

Pricing

Secure is focused on providing enterprise-grade application security testing (AST) capabilities to minimize overall risk. The intent is to provide enough value in paid features so as to allow Secure to contribute in a significant way over the next 3 years toward GitLab's company-level financial goals.

Although paid features are the primary focus, there are several reasons why features for unpaid tiers might be prioritized above paid features:

1. The Secure stage has a powerful potential to help improve the security of projects everywhere. Features with the potential to significantly improve the security posture of all projects will be highly prioritized and made available in an unpaid tier.
2. To continue to be good stewards in the open source community, any basic integration with open source projects will be available in an unpaid tier by default, along with the "table stakes" set of functionality required to allow that feature to be usable with GitLab. Any open source project integrations that currently exist in paid tiers will have a discussion opened about moving the integration to an unpaid tier.

Core/Free

This tier is the primary way to increase broad adoption of the Secure stage, as well as encouraging community contributions and improving security across the entire GitLab user base.

As a general rule of thumb, features will fall in the Core/Free tier when they meet one or more of the following criteria:

• The feature is primarily for an individual with a few small projects rather than meeting the needs of an organization or enterprise that is operating at scale
• The feature is provided by an integration with an open source project rather than being natively developed by GitLab
• The feature has the potential to increase the security posture of all GitLab projects in a significant way, or there is a reasonable ethical/moral obligation to make the feature available to all users
• The ongoing cost for GitLab to maintain and update the feature is relatively minimal

Some examples include:

• Basic installation and use of scanners, especially when the underlying scanner is taken from an open source project
• The basic ability to retrieve scan results in some way
• Documentation and directions on how to install and configure a scanner

Premium/Silver

This tier is not a significant part of Secure's pricing strategy.

Ultimate/Gold

This tier is the primary focus for the Secure stage as the security posture of an organization is typically a primary concern of the executive team and even the board of directors. Just as a major security incident has far reaching consequences that impact the entirety of an organization, the features and capabilities that enable organizations to assess their overall security risk tend to be valued with equal weight. The types of capabilities that fall in the Ultimate/Gold tier vs an unpaid tier should be those that are necessary for an organization, rather than an individual, to properly secure their code before pushing it into a production environment.

As a general rule of thumb, features will fall in the Ultimate/Gold tier when they meet one or more of the following criteria:

• The feature is focused on enabling an organization or enterprise to operate at scale rather than an individual with a few smaller personal projects
• The feature is natively developed or acquired by GitLab rather than being provided by an open source project
• The feature has a significant ongoing cost for GitLab to maintain and update the feature

Some examples include:

• Vulnerability management functionality, including Security Dashboards to aggregate, prioritize, and remediate findings as well as vulnerability workflows, including inline workflows, such as merge request and pipeline security reports, that help streamline and expedite the vulnerability remediation process
• Scanning capabilities that are not open source and provide value above what typical open source tools provide
• Enterprise features including summary reports, UI tools to simplify and streamline scanner configurations, and creation or enforcement of scanning policies
• Vulnerability research including a dedicated vulnerability database enabling better security scanner true positive detection rates

Protect

The Protect stage enables organizations to proactively monitor vulnerabilities in cloud-native environments to reduce overall security risk. Protect is a natural extension of your existing operation's practices and provides security visibility across the entire DevSecOps lifecycle. This visibility empowers your organization to apply DevSecOps best practices from the first line of code written and extends all the way through to greater monitoring and protection for your applications that are deployed in production.

Categories

Container Scanning

Check Docker images for known vulnerabilities in the application environment. Analyze image contents against public vulnerability databases using the open source tool, Clair, that is able to scan any kind of Docker (or App) image. Vulnerabilities are shown in-line with every merge request. This category is at the "viable" level of maturity.

Priority: medium • Documentation • Direction

Security Orchestration

Unified security policy management capabilities across all of GitLab's scanners and security technologies. Apply policies to enforce scans and to require security approvals when vulnerabilities are found. This category is at the "minimal" level of maturity.

Priority: medium • Documentation • Direction

Pricing

Protect is focused on providing enterprise-grade security capabilities to protect production environments. The intent is to provide enough value in paid features so as to allow Protect to contribute in a significant way over the next 3 years toward GitLab's company-level financial goals.

Although paid features are the primary focus, there are several reasons why features for unpaid tiers might be prioritized above paid features:

1. The Protect stage has a powerful potential to help improve the security of projects everywhere. Features with the potential to significantly improve the security posture of all projects will be highly prioritized and made available in an unpaid tier.
2. To continue to be good stewards in the open source community, any basic integration with open source projects will be available in an unpaid tier, along with the "table stakes" set of functionality required to allow that feature to be usable with GitLab.

Free

This tier is the primary way to increase broad adoption of the Protect stage, as well as encouraging community contributions and improving security across the entire GitLab user base.

As a general rule of thumb, features will fall in the Free tier when they meet one or more of the following criteria:

• The feature is highly useful for an individual with a few small projects rather than meeting the needs of an organization or enterprise that is operating at scale
• The feature is provided by an integration with an open source project rather than being natively developed by GitLab
• The feature has the potential to increase the security posture of all GitLab projects in a significant way, or there is a reasonable ethical/moral obligation to make the feature available to all users

Some examples include:

• Basic installation and use of the security capabilities, especially when the underlying technology leverages an open source project
• The ability to perform basic scans when an open source analyzer comprises the core component of the scanning capability
• Documentation and directions on how to configure and use open source tools within GitLab

Premium

This tier is not a significant part of Protect's pricing strategy.

Ultimate

This tier is the primary focus for the Protect stage as the security posture of an organization is typically a primary concern of the executive team and even the board of directors. Just as a major security incident has far reaching consequences that impact the entirety of an organization, the features and capabilities that successfully protect against those types of attacks tend to be valued with equal weight. The types of capabilities that fall in the Ultimate tier vs an unpaid tier should be those that are necessary for an organization, rather than an individual, to provide for adequate security of their production environment.

As a general rule of thumb, features will fall in the Ultimate tier when they meet one or more of the following criteria:

• The feature is focused on enabling an organization or enterprise to operate at scale rather than an individual with a few small projects
• The feature is natively developed by GitLab rather than being provided by an open source project
• The feature comes with a significant direct cost to GitLab to provide the capability to end users

Some examples include:

• A dashboard to aggregate alerts, along with analytics to prioritize those alerts and a workflow for responding to those alerts
• A UI-driven policy management editor, along with any analytics that are built to auto-suggest or auto-tune policies
• Enterprise-grade permissions and audit logging to monitor and limit any single individual's ability to make changes
• Capabilities that require a significant amount of compute or storage resources

Upcoming Releases

15.0 (2022-05-22)

Secure

• DAST CI/CD configuration improvements
• DAST Pre-scan verification Ultimate
• Auto-resolve vulnerabilities when not found in subsequent scans Ultimate
• SAST (Static Application Security Testing) Category Direction
• DAST CI/CD configuration improvements implementation Ultimate
• On-demand DAST configuration improvement - Implementation Issue Ultimate
• Prefer Semgrep findings over other analyzers Premium Ultimate
• Coverage guided fuzzing - Ruby Ultimate

Protect

• Remove need to install Starboard prior to production container scans Ultimate
• List Scan Result Policies in MR Approval Rule Settings Area Ultimate
• Migrate data from vulnerability-check to scan_result_policy
• Add scan_result_policy as an approval rule functionality
• Introduce Scan Result Security Policies Ultimate
• Bring Container Scanning to Free
• [Feature flag] Rollout of scan_result_policy Ultimate

15.1 (2022-06-22)

Secure

• Manually create a Vulnerability record Ultimate
• GraphQL Schema support Ultimate
• Add additional fields to issues created via DAST security scanning results Ultimate

Protect

• Interactive validation in security policy editor Ultimate
• Remove Container Network Security and Container Host Security Ultimate
• Help users select an initial policy type Ultimate
• Agent support for Container Network Security Ultimate
• Simplify Cluster Image Scanning Setup Ultimate
• Display Security Policy Errors for Cluster Image Scanning Ultimate
• Follow-on Improvements for the Security Policy Editor Ultimate
• Container Network Security - Viable to Complete
• Container Scanning category vision
• Container Scanning - Viable to Complete
• FE: Interactive validation in security policy editor Ultimate
• BE: Interactive validation in security policy editor Ultimate
• Extend Scheduled Scan Execution Policy to enforce scans on agents Ultimate
• Add application limits to scheduled security scan execution

ClickHouse Acceleration

Secure

• DAST CI/CD configuration improvements
• DAST Pre-scan verification Ultimate
• Auto-resolve vulnerabilities when not found in subsequent scans Ultimate
• Manually create a Vulnerability record Ultimate
• SAST (Static Application Security Testing) Category Direction

Protect

• Interactive validation in security policy editor Ultimate
• Remove need to install Starboard prior to production container scans Ultimate
• List Scan Result Policies in MR Approval Rule Settings Area Ultimate
• Remove Container Network Security and Container Host Security Ultimate
• Help users select an initial policy type Ultimate
• Agent support for Container Network Security Ultimate
• Simplify Cluster Image Scanning Setup Ultimate
• Display Security Policy Errors for Cluster Image Scanning Ultimate
• Follow-on Improvements for the Security Policy Editor Ultimate
• Migrate data from vulnerability-check to scan_result_policy
• Add scan_result_policy as an approval rule functionality
• Introduce Scan Result Security Policies Ultimate
• Consolidate Similar Container Scanning Findings Ultimate
• GitLab Container Registry Continuous Scanning for Latest Tag
• Bring Container Scanning to Free
• Container Network Security - Viable to Complete
• Container Scanning category vision
• Container Scanning - Viable to Complete

15.2 (2022-07-22)

Secure

• Continuous vulnerability scans Ultimate
• API Fuzz test Rails code in GitLab Ultimate

Protect

• Group Level Policy Management Ultimate

15.3 (2022-08-22)

Secure

• Vulnerability bulk status updates Ultimate
• Browser-based scanner for DAST
• Static Analysis Group Direction
• Allow Runner Tags to be Setup for On Demand DAST Ultimate
• Support gRPC testing with API Fuzzer

Protect

15.5 (2022-10-22)

Secure

• On-demand DAST configuration improvements

Protect

Last Reviewed: 2021-12-13
Last Updated: 2021-12-13